letsencrypt生成的证书对不上号。 about one-key-ikev2-vpn HOT 8 CLOSED

我测试时使用acme来申请letsencrypt证书。
在 ~/.acme.sh/example.com/目录下：

ca.cer 就是CA，example.com.cer是域名的证书，example.com.key是私钥

csr文件是制作来申请证书的请求文件，一般只有在证书申请时才用得到。
如果你还有申请pkcs12证书的话，还会有一个.pfx的证书文件，这个只是给部分客户端导入才用得到的。

不清楚letsencrypt给你的是哪几个，你需要重命名的就是上面的前3个。

from one-key-ikev2-vpn.

Hi @quericy

There are several private keys and certs under my_key/ , which one should be installed on the mobile device ?

from one-key-ikev2-vpn.

@HuKeping If you import SSL cert ,then you don't need to install it on the client. Otherwise, you need to install the ca.cert.pem .

from one-key-ikev2-vpn.

Thank you @quericy ! I installed the ca.cert.pem and it can be connected now!

from one-key-ikev2-vpn.

Hi @quericy I get my phone connected to the VPN successfully but after that it can not get access to the internet, I checked the log on my VPS by ipsec status which shows the IP for my phone is 10.31.2.1. I wonder if it was the xxx.1 address is not a valid one since it always be reserved for the gateway.

from one-key-ikev2-vpn.

@HuKeping I think you may need to open the ip_forward or check the POSTROUTING iptables rules.

from one-key-ikev2-vpn.

我看别人的文章http://blog.zorro.im/posts/strongswan-ikev2-for-ios-with-letsencrypt.html
用certbot生成证书，设置应该是这样的
ipsec.conf
leftcert=fullchain.pem

ipsec.secret
: RSA privkey.pem

文章提及的拷贝位置为（域名和路径自己改吧）
cp /etc/letsencrypt/live/your.domain/fullchain.pem /etc/ipsec.d/certs
cp /etc/letsencrypt/live/your.domain/privkey.pem /etc/ipsec.d/private

from one-key-ikev2-vpn.

@sunshineplan 没有必要用fullchain吧. 如果中间证书颁发机构是受信任的,连接时已经可以获取完整的证书链了,直接使用域名的证书就可以了.

from one-key-ikev2-vpn.